Strange apparmor output on host

Hi

I’m getting the following strange output in syslog on my host server. I’m not sure what is going on there as I don’t mount anything on my containers. I use a bind from the master. All my mounts are up and working. Have any of you seen this?

Apr 24 04:09:06 server17 kernel: [540460.355400] audit: type=1400 audit(1556071746.441:5096): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-kannel-live-grapevc-1_</var/lib/lxd>" name="/home/" pid=13575 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"

The only fstab entry I have on the containers is

LABEL=cloudimg-rootfs	/	 ext4	defaults	0 0

Any help will be appreciated.

From what I remember, ionclean is some PHP process which tries to do some odd mount namespace operations, including the one you see in your logs. From past experience, the only real side-effect of this is the log entry, I don’t remember seeing any report of an actual problem being caused by it.

Ok, thanks :slight_smile:

Oh bother, apparmor displays

comm="(ionclean)"

while it probably really means ‘command: sessionclean’. Hrrmf.

This is coming, it seems, from a protection feature created by systemd to reduce the risks caused by system services (if they are subverted, of course); in this case the one created by Debian/Ubuntu packagers to clean old PHP session files (a service that is possibly never used anyway). But it seems that this protection feature is actually seen by apparmor as a forbidden access when used by containers and interpreted as a possible security issue.
Mandatory access control is a good idea but I’m not sure that it’s currently working very well with containers - and basic reporting is not very good.
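For anyone who wants to triage these lines rather than eyeball them, here is a small parser and classifier, added as an example and not part of the thread or of LXD itself. It parses the kernel audit line quoted at the top of the thread into its fields (the second sample line is constructed for contrast) and flags the pattern discussed in the last reply: a read-only bind remount of a path such as /home/ performed by a process whose comm is wrapped in parentheses. Treating a parenthesised comm as a child forked by systemd, and /home/ as the only known hardening path, are assumptions of this example, meant to be extended from what you actually observe.

```python
import re
from typing import Optional

# Constructed sample: line 1 is the denial quoted in the thread, line 2 is a
# made-up contrasting denial so the classifier has something to reject.
SAMPLE_LOG = """\
Apr 24 04:09:06 server17 kernel: [540460.355400] audit: type=1400 audit(1556071746.441:5096): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-kannel-live-grapevc-1_</var/lib/lxd>" name="/home/" pid=13575 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
Apr 24 04:10:00 server17 kernel: [540514.000000] audit: type=1400 audit(1556071800.000:5097): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-example-ctr_</var/lib/lxd>" name="/mnt/" pid=14001 comm="mount" flags="rw, bind"
"""

# key="quoted value" or key=bare_value; audit(...) has no '=' so it is skipped.
AUDIT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: paths that systemd's service hardening remounts read-only.
# Only /home/ appears in the thread; extend from your own logs.
KNOWN_HARDENING_PATHS = {"/home/"}


def parse_apparmor_line(line: str) -> Optional[dict]:
    """Turn one kernel audit line into a dict of fields, or None if it is
    not an AppArmor message. flags becomes a list, pid/error become ints."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in AUDIT_FIELD.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    if "flags" in fields:
        fields["flags"] = [f.strip() for f in fields["flags"].split(",")]
    for int_key in ("pid", "error"):
        if int_key in fields:
            fields[int_key] = int(fields[int_key])
    return fields


def classify(entry: dict) -> str:
    """Triage verdict for a parsed entry.
    'systemd-hardening-remount': matches the benign pattern from the thread
    (ro bind remount of a known path by a parenthesised, systemd-style comm).
    'review': any other mount denial.  'not-a-mount-denial' otherwise."""
    if entry.get("apparmor") != "DENIED" or entry.get("operation") != "mount":
        return "not-a-mount-denial"
    flags = set(entry.get("flags", []))
    comm = entry.get("comm", "")
    # Assumption: systemd names its forked-but-not-yet-exec'd children "(unit)".
    systemd_child = comm.startswith("(") and comm.endswith(")")
    ro_bind_remount = {"ro", "remount", "bind"} <= flags
    if systemd_child and ro_bind_remount and entry.get("name") in KNOWN_HARDENING_PATHS:
        return "systemd-hardening-remount"
    return "review"


def triage(log_text: str) -> list:
    """Parse every AppArmor line in log_text and return
    (profile, comm, name, verdict) tuples for the ones that are denials."""
    results = []
    for line in log_text.splitlines():
        entry = parse_apparmor_line(line)
        if entry and entry.get("apparmor") == "DENIED":
            results.append((entry.get("profile"), entry.get("comm"),
                            entry.get("name"), classify(entry)))
    return results


if __name__ == "__main__":
    for profile, comm, name, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:28s} profile={profile} comm={comm} name={name}")
```

Feed it `journalctl -k` or syslog output instead of `SAMPLE_LOG`; anything that comes back as `review` is a mount denial that does not fit the known-benign shape and deserves a look at the container's profile.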